Security VLAN?

[Matty]

Wanting to setup a security system with IP Cameras.

As the cameras will be outside I do not want someone to unplug a camera and have access to my network.

Is it possible to have a main VLAN and Security VLAN, where the main VLAN can access the cameras and record... but have the ports the cameras are connected to not have access to anything else? Sort of like one way traffic?
Any ideas on how to do this? Are there specific things I need to have on a switch? Will a managed switch be enough or is a fully managed switch needed?
Probably considering an Edge Switch or UniFi Switch by Ubiquity. Are these overkill for what I want to do? 

 

Cheers!

[IceWulf]

It really depends what type of stream the cameras have - if the footage is UDP transport (one way only) it may just work, but I would check on that first. It seems very simple to buy a managed switch (Cisco, Juniper, etc) and only accept the traffic you want from the cameras on the network. I'd probably get myself a cheap Catalyst Cisco 100MB switch and go from there on Ebay.

[Matty]

Was wanting to use the Ubiquiti dome cameras and maybe an NVR or just use my synology NAS. 
Ubiquiti has a list of ports the cameras require. Is it possible to open only the required ports on a single Ethernet port on a switch? 

[IceWulf]

1 minute ago, Matty said:

Was wanting to use the Ubiquiti dome cameras and maybe an NVR or just use my synology NAS. 
Ubiquiti has a list of ports the cameras require. Is it possible to open only the required ports on a single Ethernet port on a switch? 

On a managed switch it is totally doable. You could lock the traffic to mac addresses AND flow (what TCP/UDP ports). Still hackable? yes. But it will keep out the casuals.

[The Benjamins]

What you probably should do is set up a vlan for your normal lan and a vlan for cameras, then set firewall rules to not allow traffic to "talk" between vlans. what router do you have?

Edit:

I would set up 2 DHCP services on my router (192.168.1.xxx, 192.168.2.xxx)

create a firewall that blocked all traffic from any 192.168.2.xxx ip to any 192.168.1.xxx IP except for the camera management device (make it have a static IP) (192.168.1.100)

then the management device can do what it wants with the footage (send it to the NAS on 192.168.1.xxx)

 

either use 2 switches or 1 switch with 2 vlans setup to connect all the devices.

 

you might want to add other firewall rules to 192.168.2.xxx to limit or prevent internet access so a person can't just attach a AP to your camera LAN outside your house for free wifi.

 you can also use mac address filtering for added security on Vlan 192.168.2.xxx

[Matty]

Okay this is starting to make a lot more sense. I think I will need a pretty decent switch for this. My netgear prosafe switch doesn't have options like that. Would an edge switch be okay for this? Seems to have endless features, although expensive.
Also for router was considering the edge router lite also from ubiquity. Would like to go with the USG and have the awesome unifi management interface for all my network in one place, however it lacks a lot of features in its GUI compared the edge router lite, unless you go CLI. 

[The Benjamins]

5 minutes ago, Matty said:

Okay this is starting to make a lot more sense. I think I will need a pretty decent switch for this. My netgear prosafe switch doesn't have options like that. Would an edge switch be okay for this? Seems to have endless features, although expensive.
Also for router was considering the edge router lite also from ubiquity. Would like to go with the USG and have the awesome unifi management interface for all my network in one place, however it lacks a lot of features in its GUI compared the edge router lite, unless you go CLI. 

honestly it is mostly a management thing for the router, not the switch you can set the edgerouter lite to have eth0 as wan  eth1 as vlan1 (DHCP 192.168.1.xxx) and eth2 as vlan2 (DHCP 192.168.2.xxx) and use 2 dumb switches, or any old switch with vlan support (can be some used 24/48 port one off ebay for $50)

the firewall and stuff is managed by the router.

I have a edgetouter lite and have 2 DHCP's set up (only use one, other just kinda does nothing right now)